CCNA Exam 640-553 Exam Cram: Implementing Secure Management and Hardening the Router
- Planning for Secure Management and Reporting
- Using Cisco SDM and CLI Tools to Lock Down the Router
- Exam Prep Questions
- Answers to Exam Prep Questions
Terms You’ll Need to Understand:
- Syslog Protocol (syslog)
- Out-of-band (OOB)
- In-band
- Simple Network Management Protocol (SNMP)
- Secure Shell (SSH) daemon
- Network Time Protocol (NTP)
- Simple Network Time Protocol (SNTP)
- Gratuitous Address Resolution Protocol (GARP)
- Proxy Address Resolution Protocol (ARP)
- AutoSecure
Exam Topics Covered in This Chapter:
- Secure Cisco routers using the SDM Security Audit feature
- Use the One-Step Lockdown feature in SDM to secure a Cisco router
- Secure the Cisco IOS image and configuration file
- Use CLI and SDM to configure SSH on Cisco routers to enable secured management access
- Use CLI and SDM to configure Cisco routers to send Syslog messages to a Syslog server
Secure management and reporting is an integral part to a comprehensive security policy. This chapter outlines some methods to protect the confidentiality of remote sessions to the router, either by encrypting the communication or ensuring that these remote administrative sessions do not cross the cables of a hostile network. In security terms, we look at methods to separate the data plane from the management plane. We also look at ways to implement reporting in such a way as to guarantee the integrity and confidentiality of the events logged.
In the last chapter, Chapter 3, “Security at the Network Perimeter,” we took a large step toward securing the login system on the IOS router from both access and DoS attacks. We assumed that because the router was a perimeter device and, therefore, the first device that an attacker would see as they tried to crack the network, that security would start there. We didn’t finish the tasks necessary to completely harden the router from attack, choosing to defer these steps until now. Using an analogy, if our router is a knight that we deploy on the battlements of a fortress to ward against attack, doesn’t it make sense that we equip him with armor so he can protect himself as well? If he is felled by the first arrow that an attacker fires at him, we should rethink our security architecture. To that end, we will look at interactive and automated ways to both audit the router for security vulnerabilities and, more importantly, fix them based on best practices and Cisco’s recommendations.
Planning for Secure Management and Reporting
Secure management and reporting is too often applied on top of a secure architecture as an afterthought rather than being designed into the solution from the beginning. Some hard questions need to be asked early on in the design because they bear on the implemented secure architecture. These questions are typically asked during the Initiation phase and answered during the Acquisition and Development phase of the Cisco Secure Network Life Cycle first introduced in Chapter 2, “Building a Secure Network Using Security Controls.” In general, what types of activity need to be logged and what protocols and devices are required to perform these functions will determine the technology deployed during the Implementation phase of the Cisco Secure Network Life Cycle.
Planning for secure management and reporting is based on guidelines set out by the comprehensive security policy. Several questions need to be answered before secure management and reporting can be integrated into the network security architecture design and then configured. The questions that need to be answered can be grouped into two broad categories, as follows:
- “What to log (or report)?” questions.
- “How to log (or report)?” questions.
Let’s break this down a bit further.
What to Log
Issues that bear heavily on the first question would be whether the data collected might be used for forensic purposes in investigating a possible network compromise or possibly for criminal prosecution. Rules of evidence, chain of custody, timestamps on log entries, and so on would need to be laid out. The answers to these questions will lead to administrative controls. Some helpful questions include the following:
- What are the most critical events to log?
- What are the most important logs?
- What log data may be required for forensic investigation and prosecution?
The answers to these questions are specific to the organization and thus vary. For example, an organization that is planning to prosecute a possible network compromise in criminal court would be well advised to log all successful and unsuccessful network login attempts, as well as users’ activity once logged on and place timestamps on the events logged with a common clock synchronized from a recognized time source. On the other hand, an Internet Service Provider (ISP) that simply needs to keep track of login activities for billing purposes might simply need logs that reflect accurate network login and logoff by users.
How to Log
After the administrative controls have been put in place that set out what needs to be logged, then the mostly technical controls that define how the events will be logged can be laid out.
We saw in Chapter 2, “Building a Secure Network Using Security Controls,” that Cisco has a number of solutions as part of the Cisco Integrated Security Portfolio. These solutions include security management products for multiple devices like Cisco Security MARS, with integral logging and report generation facilities for large networks. Here are some useful questions to ask when deciding on the technical controls needed to report and log events in the network:
- How can the integrity of both the logs, as well as the communication channels in which the log messages flow, be assured?
- How can the confidentiality of both the logs, as well as the communication channels in which the log messages flow, be assured?
- How do you deal with the copious amounts of log messages?
- How do you ensure that logs all use timestamps from the same clock to properly correlate events with logs, as well as logs with other logs?
- How can messages be prioritized so that critical messages are separated from routine messages?
- How can changes be reported when network outages or attacks occur?
- How do you log events from several devices in one central place?
These questions will be answered in the subsequent sections using the Cisco Secure Life Cycle as a guideline.
Reference Architecture for Secure Management and Reporting
So many questions! Nevertheless, these types of questions must be answered before the acquisition and integration of technology is considered. We will not try to answer these questions now, so we will take a shortcut and assume that they have been adequately answered in the reference architecture that we will be using for the subsequent sections in this chapter.
Figure 4.1 represents a typical architecture for secure management and reporting. It leverages on technologies that the reader would have examined in their CCNA studies, particularly in its use of VLANs to separate the traffic inside the network perimeter into different planes. It will serve as a simple visual tool to provide context for several of the Implementation phase guidelines that will be recommended presently.
Figure 4.1 Reference architecture for secure management and reporting.
The following is a quick explanation of the reference architecture in Figure 4.1. A Cisco IOS firewall with VPN is protecting an organization’s network.
The firewall has three interfaces on it. The interfaces are connected to the following:
- The Internet
- An inside production network
- An IEEE 802.1Q trunk to a Cisco Catalyst layer 2 Ethernet switch
Here is an explanation of some of the other security features found in the reference architecture:
- Ports on the Cisco Catalyst switch are configured in several VLANs (four pictured).
- The Cisco IOS firewall is routing among these VLANs (router-on-a-stick).
- ACLs on the Cisco IOS firewall manage traffic between the different VLANs. (See Chapter 5, “Using Cisco IOS Firewalls to Implement a Network Security Policy.”)
- The firewall is stateful (see Chapter 5) and supports a remote access IPsec VPN for management (see Chapter 7, “Virtual Private Networks with IPsec”).
Deployed in different VLANs are the following:
- Cisco Security MARS Appliance
- SNMP Server
- Cisco Secure Access Control Server (ACS)
- System Administrator PC
- Terminal Server (Used to connect to the console ports of all the network devices.)
- Production Network
Secure Management and Reporting Guidelines
Recall the five steps of the Cisco Secure Network Life Cycle. Clearly, we had some productive meetings and answered the “how to log” and “what to log” questions during the Initiation and Acquisition and Development phases. Here are some of the guidelines that will be followed in the Implementation phase of Cisco’s Secure Network Life Cycle:
General Management Guidelines:
- Synchronize clocks on hosts and network devices.
- Document changes and make backups of configurations.
OOB Management Guidelines:
- Find solutions that mitigate the risk of transmitting unsecure management protocols over production networks.
In-Band Management Guidelines:
- Only manage devices that require monitoring or managing
- Use encryption (IPsec, SSL, SSH) whenever possible.
- Determine if management channel has to be open at all times.
The remaining material in this section addresses these guidelines in detail.
Logging with Syslog
Referring to Figure 4.1, you could deploy a syslog server in one of the private VLANs on the inside of the network. The syslog server would accept messages from any device that is configured as a syslog client—the Cisco IOS firewall, for example. Other network devices and other IP hosts like a public web server or a mail server could be set up to be syslog clients. There are several advantages to having a central syslog server logging events from a number of different sources. As previously discussed, care has to be taken to ensure that the integrity of the log files is assured, and that the communication path between the syslog server and its clients is not compromised. This is where OOB management and in-band management decisions are made. Also, best practices dictate that the devices’ clocks should be synchronized to a recognized time source using the Network Time Protocol (NTP).
Cisco Security MARS
Logging to a central syslog server is not only part of the solution but potentially also part of the problem. The biggest issue is the enormity of the task of sifting through the resulting information, correlating the events from several different network devices and application servers and taking different types of actions based on a vulnerability assessment of the incident.
This is what Cisco Security MARS can do. Because Cisco Security MARS understands the complete network topology, MARS can intelligently analyze security events and help focus security staff’s efforts in solving the potential problems. For example, false positives are more accurately detected. For example, MARS is used as a reporting and event correlation tool in Chapter 8, “Network Security Using Cisco IOS IPS.” MARS sees the entire security architecture and thus sees security events in their complete context. It is a very complex and useful tool for reporting on security events. MARS is introduced in Chapter 2, “Building a Secure Network Using Security Controls.”
Where to Send Log Messages
Syslog is a key security policy component, but routers should also be configured to send log messages to one or more of these items:
- Console. Physical terminal lines.
- Vtys. Virtual terminal lines.
- Buffered Logging. Internal router circular buffer.
- SNMP Traps. Event-triggered messages to SNMP server.
- Syslog. External syslog server.
Log Message Levels
Not all messages are as important as others. Some messages are simple system level warnings, whereas others may denote real system emergencies that require immediate human intervention as the system is unusable. For example, an attacker may craft an attack that creates a DoS on a router system, resulting in emergency log messages. If no one’s listening, no one knows!
Table 4.1 lists and explains the log severity levels. The “Log String” denotes how the log level appears in a log message.
Table 4.1. Cisco Log Severity Levels
Level |
Log String |
Name |
Description |
0 |
LOG_EMERG |
Emergencies |
Router unusable |
1 |
LOG_ALERT |
Alerts |
Immediate action required |
2 |
LOG_CRIT |
Critical |
Condition critical |
3 |
LOG_ERR |
Errors |
Error condition |
4 |
LOG_WARNING |
Warnings |
Warning condition |
5 |
LOG_NOTICE |
Notifications |
Normal but important event |
6 |
LOG_INFO |
Informational |
Informational message |
7 |
LOG_DEBUG |
Debugging |
Debug message |
Log Message Format
See Figure 4.2 for the log message format. The example is a level 4 syslog message from an IOS IPS, indicating that a user is attempting to communicate using the MSN Messenger instant messenger (IM) application. The organization’s security policy might forbid the use of IM from its workstations, in which case this potential breach may constitute useful evidence for disciplinary purposes.
Figure 4.2 Log message format.
Enabling Syslog Logging in SDM
Cisco Security Device Manager (SDM) is introduced and examined in Chapter 3, “Security at the Network Perimeter.” Figure 4.3 illustrates how to navigate to the screen to configure syslog on the router.
Figure 4.3 Enabling Syslog logging in SDM.
Starting at the Cisco SDM homepage, follow these steps to enable and configure syslog logging on the Cisco IOS router:
- Choose Configure->Additional Tasks->Router Properties->Logging.
- Click Edit in the logging pane.
- Check the Enable Logging Level check box in the Logging Window and choose the logging level desired from the Logging Level list box.
- Click Add. In the resulting IP Address/Hostname field, enter the IP address of a logging host (syslog server).
- Click OK and then OK again to return to the Logging pane.
You can use Cisco SDM to monitor the internal buffer log, as well as messages that have been sent to syslog servers by choosing Monitor->Logging and selecting the Syslog tab in the Logging window.
Using SNMP
The Simple Network Management Protocol (SNMP) has long been deployed in networks to provide for central management of many types of network devices. There are, however, some notable security flaws in the original implementations of this very important protocol, SNMP version 1 and version 2. The protocol remains a valuable tool, and there will likely be a business case for its use. The vulnerabilities of the protocol will be outlined and discussed, as well as strategies for mitigating them, including the use of (the much newer) SNMP version 3.
SNMP Version 1 and 2 Architecture
The Simple Network Management Protocol (SNMP) enables an administrator to configure, manage, and view information on devices and IP hosts. One advantage of SNMP is that it is vendor-neutral, meaning that a common SNMP architecture can be used for many vendors’ products. There are three main elements to the SNMP architecture:
- Manager. Network Management System (NMS). Can retrieve (get) information from agents or change (set) information in the MIB on agents.
- Agent. Managed Node. Agents can send traps when system events occur and respond to sets (configuration commands) and gets (information queries).
- MIB. Management Information Base. This is the database of information contained on the agent.
Referring to Figure 4.1, the Cisco Catalyst switch and Cisco IOS firewall could be SNMP agents. The NMS is configured OOB in its own VLAN on an inside network protected by the stateful Cisco IOS firewall.
SNMP v1 and v2 Community Strings
One of the vulnerabilities of SNMP v1 and v2 architecture is that messages are authenticated using cleartext community strings. Community strings have the following attributes:
- Essentially used for password-only authentication of messages between the NMS and the agent.
- Read-only (RO) strings are used to get information only from an agent’s MIB.
- Read-write (RW) strings are used to set and get information on an agent.
SNMP Version 3 Architecture
SNMP Version 3 has the following improvements relative to SNMP Version 1 and 2:
- Messages may be encrypted to ensure confidentiality.
- Messages may be hashed to ensure integrity.
- Messages may be authenticated to ensure authenticity.
SNMP v1, v2, and v3 Security Models and Levels
Here is some other useful terminology that should be understood when deploying SNMP:
- Security Model. The security strategy used by an SNMP agent.
- Security Level. Provides a level of granularity within the security model. It is the permitted level of security within the security model.
Let’s look at an example: Referring to Table 4.2, find the noAuthNoPriv security level within SNMPv3.
Table 4.2. SNMP Security Models and Levels
SNMP Ver |
Security Level |
Authentication |
Encryption |
Note |
1 |
noAuthNoPriv |
Community String |
No |
Authenticates with community string. |
2c |
noAuthNoPriv |
Community String |
No |
Authenticates with community string. |
3 |
noAuthNoPriv |
Username |
No |
Authenticates with username. |
3 |
authNoPriv |
MD5 or SHA |
No |
Authenticates with HMAC-SHA or HMAC-MD5. |
3 |
authPriv |
MD5 or SHA |
Yes |
Authenticates with HMAC-SHA or HMAC-MD5. |
Encrypts with DES, 3DES, or AES ciphers. |
At the noAuthNoPriv security level, SNMP v3 uses a username. SNMP v3 is downward-compatible with SNMP v1 and v2 if the username only is used. The username remains cleartext, as is the case with the community string in SNMP v1 and v2.
Enabling and Configuring SNMP with Cisco SDM
To enable the SNMP agent on the IOS router and configure it to respond to SNMP gets, follow these steps in the Cisco SDM:
- Choose Configure->Additional Tasks->Router Properties->SNMP starting at the SDM homepage.
- Click the Edit button, as shown in Figure 4.4.
Figure 4.4 Enabling and configuring SNMP with Cisco SDM.
- Check the Enable SNMP checkbox in the SNMP Properties pane.
- As shown in Figure 4.4, click Add and fill in the Community String in the Community String dialog box. Click either the Read-Only or Read-Write radio buttons.
- Click OK.
Adding an SNMP Trap Receiver
While we’re at the SNMP settings page, we can set up a trapping receiver for unsolicited SNMP messages to an SNMP server:
- Starting at the SNMP pane in Cisco SDM, click Edit. The SNMP Properties window displays, as shown in Figure 4.5.
Figure 4.5 Adding an SNMP trap receiver using Cisco SDM.
- Click Add to add a new trap receiver in the Trap Receiver section of the SNMP Properties window.
- Enter the IP address (or hostname) and password of the NMS, which is acting as the trap receiver.
- Click OK to finish adding the trap receiver.
Configuring the SSH Daemon
In order to ensure that management sessions to the router are confidential, Secure Shell (SSH) is recommended. With respect to the reference architecture in Figure 4.1, SSH could be used to the Catalyst switch and the IOS firewall.
SSH is essentially encrypted Telnet. As such, it should be used instead of Telnet wherever possible, particularly where in-band management of a device is required. There are two versions of SSH:
- Version 1. Cisco IOS Release 12.1(1)T and later.
- Version 2. Cisco IOS Release 12.3(4)T and later. This is more secure than version 1.
Enabling SSH Using Cisco SDM
The following are prerequisite tasks for enabling SSH using Cisco SDM:
- Ensure that you have the right release of the Cisco IOS Software image. Only images that contain the IPsec feature set will support the SSH daemon.
- The target systems must be configured with AAA (either local or external) because SSH requires the use of a username and password.
- Ensure that target systems have unique fully-qualified domain names (FQDNs) if you are using the device’s FQDN to SSH to.
- The domain name must also be set on any device running the SSH daemon because the RSA keys (see the following steps) will not generate without the domain name set.
Using the Cisco SDM, follow these steps to enable SSH on the IOS router:
- Choose Configure->Additional Tasks->Router Access->SSH.
- If the Generate RSA Key button is grayed out (as shown in Figure 4.6), this means that the RSA key exists and SSH is enabled on the router. If the Generate RSA Key button is available, press it and follow the prompts to generate a key with a modulus between 512 and 2048 in 64-bit increments. The larger the modulus, the longer it will take to generate the key.
Figure 4.6 Enabling the SSH daemon using the Cisco SDM.
- Click OK.
- Now that we have the SSH daemon operational, we should be able to SSH to it, right? Wrong! Remember what we do with policies; we have to apply them somewhere. SSH has to be enabled on the vty lines. This is accomplished in the Cisco SDM by choosing Configure->Additional Tasks->Router Access->VTY. Figure 4.7 shows the Edit VTY Lines dialog box.
Figure 4.7 Edit VTY lines in the Cisco SDM.
Here are the equivalent CLI commands:
CiscoISR(config)#ip domain-name example.com CiscoISR(config)#crypto key zeroize rsa % All RSA keys will be removed. % All router certs issued using these keys will also be removed. Do you really want to remove these keys? [yes/no]: yes CiscoISR(config)#crypto key generate rsa general-key modulus 1024 The name for the keys will be: CiscoISR.example.com % The key modulus size is 1024 bits % Generating 1024 bit RSA keys, keys will be non-exportable...[OK] CiscoISR(config)#ip ssh time-out 120 CiscoISR(config)#ip ssh authentication-retries 4 CiscoISR(config)#line vty 0 4 CiscoISR(config-line)#transport input ssh CiscoISR(config-line)#end CiscoISR#
Configuring Time Features
The Cisco SDM enables you to manually:
- Synchronize the router’s clock to the local PC clock.
- Edit the router’s date and time.
Network Time Protocol
Assuming that our security policy requires that all of our network devices have their clocks synchronized to a single, recognized time source, manual setting of the router clock is not an option. We will choose to set the router’s clock with a Network Time Protocol (NTP) source. An organization can set up its own master time source (preferably OOB) or synchronize from a public time server on the Internet.
A few important notes:
- NTP uses UDP port 123 and is considered secure.
- Simple Network Time Protocol (SNTP) is a simpler and less secure version of NTP.
- NTP version 3 (NTPv3) and above implement cryptography and authentication between NTP peers (client and server).
You must be careful when synchronizing from an NTP server. Rules of evidence might require you to prove that you are using an unimpeachable source of information to synchronize your devices’ clocks if you want to use your logs in the course of a criminal proceeding. This makes using Internet time sources problematic. This might be mitigated somewhat by using your own master time server, but if you are synchronizing it from an Internet time source, you are back to where you started. Therefore, your master time server may need to be synchronized by radio or satellite to meet the security standards required by the security policy.
Figure 4.8 illustrates the steps to add an NTP server using the SDM. Starting at the Cisco SDM homepage, here are the steps required to add an NTP server:
- Choose Configure->Additional Tasks->Router Properties->NTP/SNTP.
- Click Add to add a new NTP server. The Add NTP Server Details window appears.
Fill in the details about your NTP server in the Add NTP Server Details window.
- (optional) You can select the source interface for your NTP packets from the NTP Source Interface drop-down box.
- (optional) If this is the preferred NTP server, check the Prefer check box. This server will be checked before other servers. You can have more than one preferred server.
- Check the Authentication Key check box if the NTP server requires authentication and fill in the values.
- To finish adding the server, click OK.
Figure 4.8 Configuring NTP in the Cisco SDM.